Posted by ScuttleMonkey on Thursday May 01, 2008 @01:29AM from the sekrit-dockumints dept.

sgunhouse writes to mention Wired's Threat Level has a piece on a recently-declassified document detailing the history of TEMPEST. "It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis. Then he noticed something odd. Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether."

I remember the old AN/YUK-83's and AN/YUK-85's. Big green ugly tempest shielded pc boxes. In the mid-90's they decided to replace all the old 8086 and 286 machines with 386 and a few 486 based systems for tactical units. Instead of just going out and buying new modern 486 and Pentium computers at around $2000 a piece, the US government paid a company, now defunct, C3 to make custom upgrade motherboards that could fit in the old Tempest cases... Cost per unit? Over $10,000. And they ran considerably slo

Unless you are using a fiber optic cable with a transparent sheath [flickr.com], there shouldn't be any kind of detectable emissions from a fiber optic cable, especially not EMF, since there shouldn't be any moving electric current, right?

The line might heat up very slightly from the signal losses, but that wouldn't be rapid enough to reveal anything useful about the signal, especially if manchester encoding [wikipedia.org] is used, where the light would be on 50% of the time.

There is no electric current in a fiber optic cable. EMF is of no concern and the "line" does not heat up. For the amount of power that data transmission lasers use, it is not anywhere enough to heat up glass.
One way I know both the DoD and CIA are using to try and "reveal" signals through fiber is at the bends, since if the fiber is not *completely* straight, some of the signal is leaked into the cladding and can be captured. This was the master's thesis of a friend of mine in grad school. He got abou

One way I know both the DoD and CIA are using to try and "reveal" signals through fiber is at the bends, since if the fiber is not *completely* straight, some of the signal is leaked into the cladding and can be captured.

Sniffing fiber by bending to allow leaks has been a commercial possibility for at least the last 10 years, so I doubt very much they are merely "trying" to reveal signal.

I recall seeing an all in one fibre/bending/sniffing device for about $500 bucks and that was a few years ago.

In this case, I believe that it's just legacy. CRTs were (are) sniffable and the old-school coax lines certainly had EMF concerns. The switch was made from coax to fiber and they kept the proximity rules the same.

Unless you are using a fiber optic cable with a transparent sheath, there shouldn't be any kind of detectable emissions from a fiber optic cable, especially not EMF, since there shouldn't be any moving electric current, right?

Well, that's one possibility. What if photons create, instead of an electrical field, some other type (gravitational?) and we just haven't noticed yet because the interaction is so minor and nothing "tuned" to its wavelength has produced an accidental discovery like this one?

Actually, this effect was exploited in ignition coils before this, so I think that saying that he made the discovery is a bit disingenuous. It's more that he had discovered something new to do with it. If it hadn't happened then, we

The reason to separate fiber cables is not because of EMF. The reason is so that visual inspection can take place. If the cables were laid in the same conduit how could you verify that at some point they were cross connected? But if they are 18 inches apart over the entire run visual inspection becomes easier and certainly less costly. One thing people fail to understand is that the cost of a system includes Design, Construction and TEST. If the designer is smart he can greatly reduce the cost of the

Lasers and light are indeed made from electromagnetic fields, and do radiate away from the transmission medium (the fiber). This effect is called evanescent wave coupling.

One fiber with photons travelling through it placed next to an empty fiber will generate photonic energy in the empty fiber that matches the phase/frequency/modulation of the original signal. The length of the section of the fibers next to each other determines the percentage of energy transferred. This is how optical couplers/spli

While I have no idea as to the particulars here, it wouldn't be unreasonable if this was just a bright-line rule (that applied regardless of the type of cabling). That way you don't have to worry about someone putting a cable tray close because it's filled with fiber and then have someone else run a copper cable through it later.

but once it's transmitted, it's encrypted. They'd have to pick up the EM thingies from a chip inside the computer, right? I mean in modern times, we don't really have to worry about this at all, right? Cuz there's so much else being processed and sent down a bus by the processor that you'd never pick out the data accurately, and probably not from more than a millimeter away.


Sir, he just sent a secret message to Mr. Slas H Dot again. TEMPEST couldn't make it all out but it should be enough to indict.

The NSA is the number one employer of mathematicians in the USA. The Russians are also supposed to be very good. If there is a way to extract intelligence from the noise, they probably know about it. If it's electrical, it radiates. If it radiates, someone else can detect it. If the signal is weak, they can build a better antenna, design a more sensitive receiver, and use more sophisticated signal processing.

Look at your average PC. The keyboard and display are broadcasting tons of inf

You know, that sounds ridiculous to me, as well, but I've known enough people working on various imaging and other classified projects to know that these things aren't done arbitrarily and to know that sometimes requirements are dictated down because the real goal is some secondary effect of the requirement.

I love the simple solution: "Instead of buying this monster, the Signal Corps resorted to the only other solution they could think of. They went out and warned commanders of the problem, advised them to control a zone about 100 feet in diameter around their communications center to prevent covert interception, and let it go at that."

I didn't know it went all the way back to WWII. Once again, I am amazed at how much transpired in just that short few years. It's as if 100 years of history and scientific discovery were packed into 10.

And by the way, I don't think it was just because there was a huge war going on. The history of mankind is full of wars, and none of them were associated with such leaps forward in math, physics, materials, and communications. Nukes, jet aircraft, RADAR, plastic, computers, rockets, cryptography, all at once almost. I just don't think we could develop, e.g. a new fighter plane in 3 years now regardless of the resources, it's too complex. If there are a million advanced civilizations out there in space,

I agree. I'm sure they have a name for it. But, it's still going on. You're right about the fighter jet and the time it would take to develop a new one. But that is most likely because we don't need a brand new type right now. Necessity is the mother... cliche, but extremely true, and not just for invention.
Read some Kurzweil. I'm not saying that all his predictions are going to come true, or even in the time frame that he suggests. But, it is amazing the perspective it gives you. The Internet is only abo

These days you can go into a data center and see small room-buildings built into the data center which are designed to act as a faraday cage, they have copper mesh over the windows etc etc. A data center is already a difficult environment for this type of work because it's so noisy... But it's easy to get equipment into, just rent a rack.

My company used to rent a SCF (secure computing facility). It was based on the building-inside-a-building approach. The theme from 'Get Smart' always played in my head whenever I went in to the office...:-)

Are you saying that they rent rack space inside the shielded rooms? Surely not, as that would defeat the entire purpose. You could just put your sniffing kit into a rackmount enclosure and rent some space in the same shielded room as your target. The lack of noise would make it much easier to sniff.

There are secure rooms like that at Lockheed. Except for one little detail... one day they noticed that vines were coming up around the border of wall and floor. Seems they'd lavished security on the walls and ceiling, but til the vines invaded, had totally forgotten about the floor!!

I worked in a TEMPEST shielded flight simulator bay in the 80's. The entire place was sealed, shielded. Dual door airlock to enter/exit. Power came in and spun a motor which spun a generator so there were zero wires leaving the room that were attached to any equipment inside the room. After it was constructed I remember when it got tested and certified. The main bay was all metal walls and ceiling. If they found a tiny RF leak they'd spot weld over it. When done the inside walls looked like a set from a

Ideally you need a fairly old computer for this, with a monitor that scans at normal TV frequencies. I've done this with an Amstrad PCW, which is particularly suitable because the plastic case leaks a lot of RF.

You're also going to need a portable black-and-white TV, a decent aerial, and maybe an aerial booster.

Testing is simple - put a recognisable image up on the screen. This can be the startup screen of an application, a directory listing, even an ASCII-art goatse if you're so inclined. The key is it *must* be a monochrome screen with pixels that are on or off - it won't work with greyscale. There's a subtle side-effect of this, which I'll come to in a moment.

Plug the aerial into the black and white TV. If you're more than a few feet away from the target computer, you're going to need the aerial. The signal you're trying to pick up is *tiny*. Tune the TV until you see what looks like a garbled version of the computer screen - an analogue tuner is best for this. The picture will be extremely weak and noisy, and it will also not be synchronised correctly. Now adjust the horizontal and vertical hold on the TV until you get a stable picture. You should at least be able to make out roughly what's on the screen.

To take it further, you need to break into the TV and add an AM radio. This detects the scanning coils in the monitor, and allows you to generate a sync pulse to lock the TV to the computer. You need to position the TV and AM radio very carefully so the radio isn't picking up the TV scan coils. This is the difficult bit, and in fact I've never got this part to work. I've got readable text off the computer screen before, from about 30 feet. I'd call that working.

Back to the greyscale thing briefly - antialiased fonts use grey pixels on either side of the black or white pixels to "blur" the edges and make the fonts look smoother. This has the effect of lowering the rise time of the signal, and thus not throwing as many harmonics out. Think about it - a switch from a black background to a white pixel is basically a squarewave, but if you step through a couple of shades of grey there's a much lower amplitude change and so the harmonics will be correspondingly quieter. So, anti-aliased fonts prevent Tempest-style attacks, and in fact about 15 years ago you could get "Tempest Fonts" that were basically very fuzzy antialiased fonts.

The other thing is that LCDs don't emit RF harmonics to nearly such an extent. The days of Tempest and Van Eck phreaking are pretty much gone.
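As an added example (not code from the thread or its author) of the greyscale point above: a constructed scan-line is blurred with a three-tap kernel and a pure-Python DFT shows that the upper harmonics keep only about a fifth of their energy while the pixel-clock fundamental keeps roughly 85%. The scan-line pattern, the kernel weights and the harmonic cutoff are assumptions.

```python
"""Why anti-aliased ("Tempest") fonts leak less: added example, not code from
the thread. A video scan-line is modelled as constructed pixel intensities and
a direct DFT shows how much less energy a blurred edge puts into the high
harmonics that a distant receiver would otherwise pick up."""
import cmath
import math


def dft_magnitudes(samples):
    """Return |X[k]| for k = 0..N-1 using a direct O(N^2) DFT (no numpy needed)."""
    n = len(samples)
    mags = []
    for k in range(n):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        mags.append(abs(acc))
    return mags


def sharp_scanline(length=64, period=8, width=2):
    """Constructed sample: a 1-bit glyph column `width` pixels wide every `period` pixels."""
    return [1.0 if (t % period) < width else 0.0 for t in range(length)]


def antialias(line, kernel=(0.25, 0.5, 0.25)):
    """Put grey pixels beside each edge: circular blur with an assumed kernel that sums to 1."""
    n, half = len(line), len(kernel) // 2
    return [sum(w * line[(t + i - half) % n] for i, w in enumerate(kernel))
            for t in range(n)]


def max_step(line):
    """Largest change between neighbouring pixels: a proxy for edge rise time."""
    return max(abs(line[t] - line[t - 1]) for t in range(len(line)))


def energy_above(mags, cutoff):
    """Energy in bins from `cutoff` up to Nyquist: the upper harmonics."""
    return sum(m * m for m in mags[cutoff:len(mags) // 2 + 1])


def compare(length=64, period=8, width=2, cutoff=16):
    """Return how much of the fundamental and of the upper harmonics survive blurring."""
    sharp = sharp_scanline(length, period, width)
    soft = antialias(sharp)
    ms, mf = dft_magnitudes(sharp), dft_magnitudes(soft)
    fund = length // period                      # bin of the pixel-clock fundamental
    return {
        "dc_equal": abs(ms[0] - mf[0]) < 1e-9,   # mean brightness is unchanged
        "sharp_step": max_step(sharp),           # 1.0: full swing in one pixel
        "soft_step": max_step(soft),             # 0.5: the edge is spread out
        "fund_kept": mf[fund] / ms[fund],        # fraction of fundamental surviving
        "high_kept": energy_above(mf, cutoff) / energy_above(ms, cutoff),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```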

Back in the mid-90s, I was visiting my parents who had one of those "television" things occupying space in their living room, and I noticed that the display from my laptop computer showed up on the screen. It wasn't really in sync, had about three copies of the text slowly scrolling by, but you could tell it was readable text. I don't remember what year it was, so the laptop may have been a 486 or a Pentium 75, or something around that range, and the screen might have been 800x600 but was probably 640x480 (because our IT bureaucracy was much more impressed with screens that had more colors than more pixels; even today I'm still stuck with 1024x768 :-).

Since I'd done work with TEMPEST in the 1980s and was hanging out with a bunch of crypto people, and since the open-source discussions were mostly people saying "Laptops should protect you just fine since they're LCD", I obviously had to speculate about how this could be happening. My guess is that it wasn't the LCD itself that was radiating, but instead was the VGA jack on the back for plugging into a desktop monitor. Most laptops still have those today, and while many people use LCDs rather than CRTs as desktop monitors, they're still connecting by VGA signals using not-particularly-shielded cables, so there should still be plenty of signal around to listen for.

Obviously today's video signals are a lot higher frequency, so you'd need to use some actual computer equipment rather than squinting at a television. I don't know if the digital signal formats are easier or harder to intercept successfully than the VGA analog ones; maybe that'll help.

I recall something similar - Nintendo built video outputs onto the Nintendo DS, so that they could be shown on monitors at trade shows etc., and quite a few of the units on shop shelves at launch had some of the hardware left in. It was possible to tune into the console (one of the screens, anyway, I forget which) on a common-or-garden TV.

There's lots of stuff which can be radiating. As you say, the input jack is a potential source of noise (although it's usually inside a metal case.) Various other cables are also there, like the flexible circuits inside the LCD monitor, the output jack on the computer... Even laptops can be read, after all.

Used to know a guy who was even older than me, and pretty good with RF back in the '80's. He could read my Apple ][+ monitor, until I switched from text to what Apple used to call "HiRes graphics". Dunno if he ever rebuilt his equipment and got the picture back, I never heard. It seemed like a peculiar (and slightly crackpot) hobby with no obvious application. Heh.

"Bell Telephone faced a dilemma. They had sold the equipment to the military with the assurance that it was secure, but it wasn't. The only thing they could do was to tell the [U.S. Army] Signal Corps about it, which they did."

Can you imagine a Government contractor coming clean these days? You're more likely to get someone like Dick Jones from OCP:

"I had a guaranteed military sale with ED 209. A renovation program. Spare parts for years. Who cares if it worked or not?"

I can imagine a contractor coming clean. I don't have any examples of it happening recently, but you haven't provided any examples that aren't from a dystopian fantasy. Plenty of people have terrible ethics and plenty of other people are horribly misguided or disinterested, but as sappy as it sounds, there are actually good people everywhere, working to make the world a better place.

I'd rather be lower middle class today than a king in any other period in history, only a megalomaniac would prefer to be a dir

Electromagnetic leakage was well known by 1943. So well known that since the mid 1930's the Navy had required all receivers to be specially designed so as to not leak out any spurious signals such as the local oscillator, BFO, or IF signals. Plentifully documented in the user and service manuals of said radios.

The scope "spiked" because the teletype needed a whopping 60 milliamps of signal current from a high-voltage current-limited sou

Teletype Corp mitigated this somewhat by putting the electromagnet on the typing unit (and reperforating unit, if it had one) inside a double-layer metal shell. It was probably secure enough for 1960's era technology, but nowhere near good enough for today (as if there are any Teletypes running classified traffic anymore).

It's still a good idea to control the area outside your comm center out to 100 feet (or more). Prevents someone from walking up and planting a shaped charge on the outside wall.

Back in 1979 (IIRC), a college classmate and I discovered that our TI-55 [datamath.org] calculators would put out a blast of noise on the AM dial whenever something was written to the LED display! We tuned a nearby radio to the most effective frequency and started exploring.

Imagine our excitement when we discovered there was a different delay between bursts depending on how many LED segments were lit up! (That is, it took longer to display 88888888 than 11111111). Hey! We can make Music!! Fr

I was a radioman in the Coast Guard; we had to go through regular checks to make sure all our equipment was TEMPEST approved. Every 18 months ships go through 'Refresher Training' - all manner of drills and combat readiness training including radio and electronics. A favorite story about ensuring that things were TEMPEST approved was a navy ship that was tracked for days because of the microwave in the chief's mess, every time they popped up some corn the microwave was sending off spurious emissions. The s

Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether."

Does that include my Dick Tracy secret decoder ring?

We've all heard stories of programming music on a radio from a Commodore PET, or reading the data by converting the flashes from a modem's transmit and receive LEDs, but I'm sure at the start of the electronics era (and especially in a crypto lab during a war) that the concept of being

The book Spycatcher details how shortly after WWII the British tapped the powerline feeding the coding machine in the French embassy in London. Electrical noise on the line could be correlated with different keys typed on the machine. When this book came out it was banned in Britain.

I got involved in this area when we wanted to use cheap PCs (actually Apple II's) back in the early 80's at a Fort Bragg command for classified processing and communications. (Instead of the multi-gazillion decades-old junk the vendors were selling us.) The signal security guys went nuts, impossible, can't do it, too insecure. Our CG said go ahead and do it, prove you can.. and let the NSA guys come and listen.

So we did. No problem with basically stock Apple II's, monitors, state of the art (then) commer

Years ago the NSA was spending boatloads of money to put copper shielding on all of their PCs and other gear. Then some smart engineer suggested that they shield the entire headquarters building. Nifty.

Seismics (a redacted section in the paper), I'm guessing, has to do with detecting vibrations. The crypto device they talk about apparently uses mechanical relays, which makes perfect sense. One should be able to detect when relay contacts close, and back out some useful information about it. Would love to hear the back story about that.
I have yet to come up with a reasonable hypothesis for "Flooding", after dedicating nearly a minute to thinking about it.

A modern version could involve embedding a couple of microphones in a table top with associated processing. When someone lays a keyboard down and starts typing, the arrival time of each key click can be used to determine which key was pressed.

My wild-ass guess is that flooding might refer to the technique that the Soviets developed during the Cold War. They developed a passive bug that was composed of a microwave resonant cavity with a flexible membrane on one end of the cavity. They would excite the cavity with a microwave transmitter located outside the building they were spying on. Sound would cause the membrane to vibrate, changing the resonant frequency of the cavity. This would modulate the signal emitted by the cavity. This signal could be

The true story is more romantic... The cavity was in the beak of the eagle of the Great Seal of the US; it was presented by Russian school children to the American ambassador.
It was not discovered but rather revealed by a Soviet defector. I am sure someone will post a few links to provide more details.

Back in the late 80's I worked on some electronic key management stuff for the DoD. I was told I could put TEMPEST on my resume, but I was not allowed to tell anyone what it was. One can imagine the kind of odd job-interview situations this produces.

Yup. I still remember a call on an open line asking me what the TEMPEST rating of a Symbolics LISP Machine was (I bought the first one at NSA). I told him I didn't know, then called him on a secure line to explain I wasn't permitted to divulge that in the open.

Maybe, but acoustical emissions are also a real security problem, especially with electromechanical devices. I've read about buildings that were modified with passive acoustic channels to allow an intelligence service to spy on the occupants from a safe distance.